Skip to content

Commit 9d561b1

Browse files
yangm2claude[bot]
yangm2
and
claude[bot]
authored
fix: implement CORS security to prevent unauthorized cross-origin requests (#179)
* fix: implement CORS security to prevent unauthorized cross-origin requests - Add Flask-CORS dependency to pyproject.toml - Configure strict origin allowlist for tenantfirstaid.com domains - Add development localhost origins when ENV=dev - Enable credentials support for session handling - Reject requests from unauthorized origins at server level Fixes #94 Co-authored-by: yangm2 <[email protected]> * fix: correct import order in app.py to comply with linting standards Co-authored-by: yangm2 <[email protected]> * fix merge conflicts * fix merge conflicts again --------- Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
1 parent 282f1a4 commit 9d561b1

File tree

3 files changed

+271
-221
lines changed

3 files changed

+271
-221
lines changed

backend/pyproject.toml

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -5,10 +5,11 @@ version = "0.2.0"
55
requires-python = ">=3.12"
66
dependencies = [
77
"flask>=3.1.1",
8-
"flask-mailman",
9-
"Flask_Limiter",
10-
"xhtml2pdf",
11-
"redis",
8+
"flask-mailman>=1.1.1",
9+
"Flask_Limiter>=3.12",
10+
"xhtml2pdf>=0.2.17",
11+
"redis>=6.4.0",
12+
"flask-cors>=4.0.0",
1213
"valkey>=6.1.0",
1314
"gunicorn>=23.0.0",
1415
"google-auth>=2.40.3",

backend/tenantfirstaid/app.py

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@
33
from flask_mailman import Mail
44
from flask_limiter import Limiter
55
from flask_limiter.util import get_remote_address
6+
from flask_cors import CORS
67
import os
78
import secrets
89

@@ -38,6 +39,24 @@ def build_valkey_uri():
3839
app=app,
3940
storage_uri=build_valkey_uri(),
4041
)
42+
# Configure CORS with strict origin validation
43+
ALLOWED_ORIGINS = [
44+
"https://tenantfirstaid.com",
45+
"https://www.tenantfirstaid.com",
46+
]
47+
48+
# Add localhost origins for development
49+
if os.getenv("ENV", "dev") == "dev":
50+
ALLOWED_ORIGINS.extend(
51+
[
52+
"http://localhost:3000",
53+
"http://127.0.0.1:3000",
54+
"http://localhost:5173", # Vite default
55+
"http://127.0.0.1:5173",
56+
]
57+
)
58+
59+
CORS(app, origins=ALLOWED_ORIGINS, supports_credentials=True)
4160

4261
# Configure Flask sessions
4362
app.secret_key = os.getenv("FLASK_SECRET_KEY", secrets.token_hex(32))

0 commit comments

Comments
 (0)